The purpose of this article is to implement an identity theft
prevention program as required by the Fair and Accurate Credit Transactions
Act of 2003 (Pub. L. 108-159) and its implementing regulations, known
as the Red Flags Rule.
(Ordinance 617-10 adopted 5/17/2010)
(a)
The
Federal Trade Commission (FTC) requires every creditor to implement
an identify theft prevention program ("program") under section 114
of the Fair and Accurate Credit Transactions Act. The program requirements
are published in 16 Code of Federal Regulations section 681.2.
(b)
Identity
theft is defined as a fraud committed or attempted using identifying
information of another person without authority. The city adopts this
program to comply with FTC rules and regulations.
(c)
In
drafting this program, the city considered: (i) the methods it provides
to open its accounts, (ii) the methods it provides to access its accounts,
and (iii) its previous experiences with identity theft. Based on these
considerations, the city hereby determines that the city is a low
to moderate risk entity and, as a result, develops and implements
the streamlined identity theft prevention program set forth in this
article.
(Ordinance 617-10 adopted 5/17/2010)
The FTC regulations identify numerous red flags that must be
considered in adopting an identity theft prevention program. A red
flag is a pattern, practice, or specific activity that indicates the
possible existence of identity theft. The city identifies the following
red flags:
(1)
Notifications from consumer reporting agencies.
The
city does not request, receive, obtain or maintain information about
its customer from any consumer reporting agency.
(2)
Suspicious documents.
Possible red flags include:
(A)
Presentation of documents appearing to be altered or forged;
(B)
Presentation of photographs or physical descriptions that are not
consistent with the appearance of the applicant or customer;
(C)
Presentation of other documentation that is not consistent with the
information provided when the account was opened or existing customer
information;
(D)
Presentation of information that is not consistent with the account
application; or
(E)
Presentation of an application that appears to have been altered,
forged, destroyed, or reassembled.
(3)
Suspicious personal identifying information.
Possible
red flags include:
(A)
Personal identifying information is being provided by the customer
that is not consistent with other personal identifying information
provided by the customer or is not consistent with the personal identifying
information provided by the customer or is not consistent with the
customer's account application;
(B)
Personal identifying information is associated with known fraudulent
activity;
(C)
The social security number (if required or obtained) is the same
as that submitted by another customer;
(D)
The telephone number or address is the same as that submitted by
another customer;
(E)
The applicant failed to provide all personal identifying information
requested on the application; or
(F)
The applicant or customer cannot provide authenticating information
beyond that which generally would be available.
(4)
Unusual use of or suspicious activity related to an account.
Possible red flags include:
(A)
A change of address for an account followed by a request to change
the account holder's name;
(B)
A change of address for an account followed by a request to add new
or additional authorized users or representatives;
(C)
An account is not being used in a way that is consistent with prior
use (such as late or no payments when the account has been timely
in the past);
(D)
A new account is used in a manner commonly associated with known
patterns of fraudulent activity (such as customer fails to make the
first payment or makes the first payment but no subsequent payments);
(E)
Mail sent to the account holder is repeatedly returned as undeliverable;
or
(F)
The city receives notice of unauthorized activity on the account.
(5)
Notice regarding possible identify theft.
Possible red
flags include: notice from a customer, an identity theft victim, law
enforcement personnel or other reliable sources regarding possible
identity theft or phishing related to covered accounts.
(Ordinance 617-10 adopted 5/17/2010)
Before changing a name and address of an existing covered account,
the city requires proof of property ownership or rental such as documentation
from escrow, copy of a real estate contract or deed of trust.
(Ordinance 617-10 adopted 5/17/2010)
All personal information, personal identifying information,
account applications and account information collected and maintained
by the city shall be a confidential record of the city and shall not
be subject to disclosure unless otherwise required by state or federal
law.
(Ordinance 617-10 adopted 5/17/2010)
Access to covered account information shall be limited to employees
that provide customer service and technical support for city departments
or offices offering covered accounts. Any computer that has access
to customer account or personal identifying information shall be password
protected and all computer screens shall lock after no more than fifteen
(15) minutes of inactivity. All paper and non-electronic based account
or customer personal identifying information shall be stored and maintained
in a locked room or cabinet, and access shall only be granted by the
city manager or his/her designee.
(Ordinance 617-10 adopted 5/17/2010)
All internet or telephone credit card payments shall only be
processed through a third party service provider which certifies that
it has an identity theft prevention program operating and in place.
Credit card payments accepted in person shall require a reasonable
connection between the person or entity billed for the services and
the credit card owner.
(Ordinance 617-10 adopted 5/17/2010)
(a)
Suspicious
transactions include, but are not limited to, the presentation of
incomplete applications, unsigned applications, payment by someone
other than the person named on the covered account, or presentation
of inconsistent signatures, addresses or identification.
(b)
Suspicious
transactions shall not be processed and shall be immediately referred
to the city manager or his/her designee.
(Ordinance 617-10 adopted 5/17/2010)
The compliance officer or his/her designee shall use his/her
discretion on whether to report suspicious transactions to appropriate
law enforcement departments.
(Ordinance 617-10 adopted 5/17/2010)
All transactions processed through a third party service provider
shall be permitted only if the service provider certifies that it
has complied with the FTC regulations and has in place a consumer
identity theft prevention program.
(Ordinance 617-10 adopted 5/17/2010)
The compliance officer for this identity theft prevention program
shall be the city manager or his/her designee. The city manager shall
conduct training of all city employees that transact business using
covered accounts. The city manager shall periodically review this
program and recommend any necessary updates to the city council.
(Ordinance 617-10 adopted 5/17/2010)
The city manager shall provide an annual report to the mayor.
The contents of the annual report shall address and evaluate at least
the following:
(1)
The
effectiveness of the policies and procedures of the city in addressing
the risk of identity theft in connection with the opening of covered
accounts and with respect to access to existing covered accounts;
(2)
Service
provider arrangements;
(3)
Incidents
involving identity theft with covered accounts and the city's response;
(4)
Changes
in methods of identity theft and the prevention of identity theft;
and
(5)
Recommendations
for changes to the city's identity theft prevention program.
(Ordinance 617-10 adopted 5/17/2010)
